This script deletes the network database, all database archive files, all server logs, all issue details, all files stored in the administrator shell directory and all user logins. This script also resets the administrator password to 'admin' and erases all customer-specific configuration information.

$ ssh -i netrmi-backdoor [email protected]
NetMRI VM-AD30-5C6CE
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS.
Last login: Mon Mar 13 17:00:07 2017 from 1.3.3.7

************************************************************************
ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS.
************************************************************************

There is no known remediation for this vulnerability from the vendor. Administrators should heavily restrict access to any account of any privilege which can use the ping command in the NetMRI CLI.

Network access to management interfaces should be properly segmented.

Assuming the lack of input sanitization in the NetMRI CLI is not addressed: use that vulnerability to check for the existence of any SSH keys. No keys should be present.
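An audit helper for the check above, added here as an example and not part of the advisory or of NetMRI itself: it walks a filesystem root for authorized_keys files and reports every active key entry, so the expected result on a clean appliance is zero. The demo directory tree and key strings are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the KoreLogic advisory or the NetMRI product).
# Reports every active entry in any authorized_keys file under a root directory.
# On a real appliance ROOT would be "/"; the demo below uses a constructed tree.

# list_authorized_keys ROOT
# Prints "path:lineno:firstfield comment" for each non-blank, non-comment line
# of every file named authorized_keys or authorized_keys2 under ROOT.
list_authorized_keys() {
    root="${1:-/}"
    find "$root" \( -name authorized_keys -o -name authorized_keys2 \) -type f 2>/dev/null |
    while IFS= read -r f; do
        awk -v path="$f" '
            /^[[:space:]]*(#|$)/ { next }          # skip blank and commented-out lines
            {
                comment = (NF >= 3) ? $NF : "(no comment)"
                print path ":" NR ":" $1 " " comment
            }
        ' "$f"
    done
}

# count_authorized_keys ROOT -> number of active key entries (0 is the clean result)
count_authorized_keys() {
    list_authorized_keys "$1" | wc -l | tr -d ' '
}

# Constructed demo tree: alice has two keys (one disabled by a comment),
# bob has an empty file, root has only a commented-out key.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/home/alice/.ssh" "$demo_root/home/bob/.ssh" "$demo_root/root/.ssh"
printf 'ssh-rsa AAAAB3FAKEKEY1 alice@laptop\n# ssh-rsa AAAAB3FAKEKEY9 alice@old\nssh-ed25519 AAAAC3FAKEKEY2 alice@backup\n' \
    > "$demo_root/home/alice/.ssh/authorized_keys"
: > "$demo_root/home/bob/.ssh/authorized_keys"
printf '# ssh-rsa AAAAB3FAKEKEY3 old@host\n' > "$demo_root/root/.ssh/authorized_keys"

list_authorized_keys "$demo_root"
echo "active keys found: $(count_authorized_keys "$demo_root")"   # prints 2
```

Any non-zero count on a NetMRI appliance is a finding to investigate, since the advisory states that no keys should be present.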

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

6. Disclosure Timeline

2017.07.21 - KoreLogic requests security contact and PGP key from Infoblox.
2017.07.21 - Infoblox suggests '[email protected]' with PGP key id 0xC4AB2799.
2017.07.24 - KoreLogic submits vulnerability information to Infoblox.
2017.07.31 - 5 business days have elapsed since the vulnerability was reported. No response from Infoblox.
2017.09.15 - KoreLogic requests update from Infoblox.
2017.09.26 - 45 business days have elapsed since the vulnerability was reported to Infoblox.
2017.10.17 - KoreLogic requests an update from Infoblox.
2017.10.18 - 60 business days have elapsed since the vulnerability was reported to Infoblox.
2017.10.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright (c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt